Google Cloud Professional Data Engineer — Question 316

Government regulations in the banking industry mandate the protection of clients' personally identifiable information (PII). Your company requires PII to be access controlled, encrypted, and compliant with major data protection standards. In addition to using Cloud Data Loss Prevention (Cloud DLP), you want to follow
Google-recommended practices and use service accounts to control access to PII. What should you do?

Answer options

• A. Assign the required Identity and Access Management (IAM) roles to every employee, and create a single service account to access project resources.
• B. Use one service account to access a Cloud SQL database, and use separate service accounts for each human user.
• C. Use Cloud Storage to comply with major data protection standards. Use one service account shared by all users.
• D. Use Cloud Storage to comply with major data protection standards. Use multiple service accounts attached to IAM groups to grant the appropriate access to each group.

Correct answer: D

Explanation

The correct answer is D because using multiple service accounts allows for fine-grained access control, ensuring that only the appropriate IAM groups have access to the PII as required by regulations. Option A is incorrect as assigning IAM roles to every employee does not restrict access appropriately. Option B is not ideal because it limits access to the Cloud SQL database and doesn't adequately address PII access control. Option C fails to implement the necessary segmentation of access needed for compliance.